1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <grp.h> 27 #include "ldap_common.h" 28 #include <string.h> 29 30 /* String which may need to be removed from beginning of group password */ 31 #define _CRYPT "{CRYPT}" 32 #define _NO_PASSWD_VAL "" 33 34 /* Group attributes filters */ 35 #define _G_NAME "cn" 36 #define _G_GID "gidnumber" 37 #define _G_PASSWD "userpassword" 38 #define _G_MEM "memberuid" 39 40 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))" 41 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))" 42 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))" 43 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))" 44 /* 45 * Group membership can be defined by either username or DN, so when searching 46 * for groups by member we need to consider both. The first parameter in the 47 * filter is replaced by username, the second by DN. 48 */ 49 #define _F_GETGRMEM \ 50 "(&(objectClass=posixGroup)(|(memberUid=%s)(memberUid=%s)))" 51 #define _F_GETGRMEM_SSD "(&(%%s)(|(memberUid=%s)(memberUid=%s)))" 52 53 /* 54 * Copied from getpwnam.c, needed to look up user DN. 55 * Would it be better to move to ldap_common.h rather than duplicate? 56 */ 57 #define _F_GETPWNAM "(&(objectClass=posixAccount)(uid=%s))" 58 #define _F_GETPWNAM_SSD "(&(%%s)(uid=%s))" 59 60 static const char *gr_attrs[] = { 61 _G_NAME, 62 _G_GID, 63 _G_PASSWD, 64 _G_MEM, 65 (char *)NULL 66 }; 67 68 69 /* 70 * _nss_ldap_group2str is the data marshaling method for the group getXbyY 71 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method 72 * is called after a successful ldap search has been performed. This method 73 * will parse the ldap search values into the file format. 74 * e.g. 75 * 76 * adm::4:root,adm,daemon 77 * 78 */ 79 80 static int 81 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp) 82 { 83 int i; 84 int nss_result; 85 int buflen = 0, len; 86 int firstime = 1; 87 char *buffer = NULL; 88 ns_ldap_result_t *result = be->result; 89 char **gname, **passwd, **gid, *password, *end; 90 char gid_nobody[NOBODY_STR_LEN]; 91 char *gid_nobody_v[1]; 92 char *member_str, *strtok_state; 93 ns_ldap_attr_t *members; 94 95 (void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY); 96 gid_nobody_v[0] = gid_nobody; 97 98 if (result == NULL) 99 return (NSS_STR_PARSE_PARSE); 100 buflen = argp->buf.buflen; 101 102 if (argp->buf.result != NULL) { 103 if ((be->buffer = calloc(1, buflen)) == NULL) { 104 nss_result = NSS_STR_PARSE_PARSE; 105 goto result_grp2str; 106 } 107 buffer = be->buffer; 108 } else 109 buffer = argp->buf.buffer; 110 111 nss_result = NSS_STR_PARSE_SUCCESS; 112 (void) memset(buffer, 0, buflen); 113 114 gname = __ns_ldap_getAttr(result->entry, _G_NAME); 115 if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) { 116 nss_result = NSS_STR_PARSE_PARSE; 117 goto result_grp2str; 118 } 119 passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD); 120 if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) { 121 /* group password could be NULL, replace it with "" */ 122 password = _NO_PASSWD_VAL; 123 } else { 124 /* 125 * Preen "{crypt}" if necessary. 126 * If the password does not include the {crypt} prefix 127 * then the password may be plain text. And thus 128 * perhaps crypt(3c) should be used to encrypt it. 129 * Currently the password is copied verbatim. 130 */ 131 if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0) 132 password = passwd[0] + strlen(_CRYPT); 133 else 134 password = passwd[0]; 135 } 136 gid = __ns_ldap_getAttr(result->entry, _G_GID); 137 if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) { 138 nss_result = NSS_STR_PARSE_PARSE; 139 goto result_grp2str; 140 } 141 /* Validate GID */ 142 if (strtoul(gid[0], &end, 10) > MAXUID) 143 gid = gid_nobody_v; 144 len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]); 145 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str); 146 147 members = __ns_ldap_getAttrStruct(result->entry, _G_MEM); 148 if (members == NULL || members->attrvalue == NULL) { 149 /* no member is fine, skip processing the member list */ 150 goto nomember; 151 } 152 153 for (i = 0; i < members->value_count; i++) { 154 if (members->attrvalue[i] == NULL) { 155 nss_result = NSS_STR_PARSE_PARSE; 156 goto result_grp2str; 157 } 158 /* 159 * If we find an '=' in the member attribute value, treat it as 160 * a DN, otherwise as a username. 161 */ 162 if (member_str = strchr(members->attrvalue[i], '=')) { 163 member_str++; /* skip over the '=' */ 164 /* Fail if we can't pull a username out of the RDN */ 165 if (! (member_str = strtok_r(member_str, 166 ",", &strtok_state))) { 167 nss_result = NSS_STR_PARSE_PARSE; 168 goto result_grp2str; 169 } 170 } else { 171 member_str = members->attrvalue[i]; 172 } 173 if (*member_str != '\0') { 174 if (firstime) { 175 len = snprintf(buffer, buflen, "%s", 176 member_str); 177 TEST_AND_ADJUST(len, buffer, buflen, 178 result_grp2str); 179 firstime = 0; 180 } else { 181 len = snprintf(buffer, buflen, ",%s", 182 member_str); 183 TEST_AND_ADJUST(len, buffer, buflen, 184 result_grp2str); 185 } 186 } 187 } 188 nomember: 189 /* The front end marshaller doesn't need the trailing nulls */ 190 if (argp->buf.result != NULL) 191 be->buflen = strlen(be->buffer); 192 result_grp2str: 193 (void) __ns_ldap_freeResult(&be->result); 194 return (nss_result); 195 } 196 197 /* 198 * getbynam gets a group entry by name. This function constructs an ldap 199 * search filter using the name invocation parameter and the getgrnam search 200 * filter defined. Once the filter is constructed, we searche for a matching 201 * entry and marshal the data results into struct group for the frontend 202 * process. The function _nss_ldap_group2ent performs the data marshaling. 203 */ 204 205 static nss_status_t 206 getbynam(ldap_backend_ptr be, void *a) 207 { 208 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 209 char searchfilter[SEARCHFILTERLEN]; 210 char userdata[SEARCHFILTERLEN]; 211 char groupname[SEARCHFILTERLEN]; 212 int ret; 213 214 if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) != 215 0) 216 return ((nss_status_t)NSS_NOTFOUND); 217 218 ret = snprintf(searchfilter, sizeof (searchfilter), 219 _F_GETGRNAM, groupname); 220 if (ret >= sizeof (searchfilter) || ret < 0) 221 return ((nss_status_t)NSS_NOTFOUND); 222 223 ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname); 224 if (ret >= sizeof (userdata) || ret < 0) 225 return ((nss_status_t)NSS_NOTFOUND); 226 227 return ((nss_status_t)_nss_ldap_lookup(be, argp, 228 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 229 } 230 231 232 /* 233 * getbygid gets a group entry by number. This function constructs an ldap 234 * search filter using the name invocation parameter and the getgrgid search 235 * filter defined. Once the filter is constructed, we searche for a matching 236 * entry and marshal the data results into struct group for the frontend 237 * process. The function _nss_ldap_group2ent performs the data marshaling. 238 */ 239 240 static nss_status_t 241 getbygid(ldap_backend_ptr be, void *a) 242 { 243 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 244 char searchfilter[SEARCHFILTERLEN]; 245 char userdata[SEARCHFILTERLEN]; 246 int ret; 247 248 if (argp->key.uid > MAXUID) 249 return ((nss_status_t)NSS_NOTFOUND); 250 251 ret = snprintf(searchfilter, sizeof (searchfilter), 252 _F_GETGRGID, argp->key.uid); 253 if (ret >= sizeof (searchfilter) || ret < 0) 254 return ((nss_status_t)NSS_NOTFOUND); 255 256 ret = snprintf(userdata, sizeof (userdata), 257 _F_GETGRGID_SSD, argp->key.uid); 258 if (ret >= sizeof (userdata) || ret < 0) 259 return ((nss_status_t)NSS_NOTFOUND); 260 261 return ((nss_status_t)_nss_ldap_lookup(be, argp, 262 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 263 264 } 265 266 267 /* 268 * getbymember returns all groups a user is defined in. This function 269 * uses different architectural procedures than the other group backend 270 * system calls because it's a private interface. This function constructs 271 * an ldap search filter using the name invocation parameter. Once the 272 * filter is constructed, we search for all matching groups counting 273 * and storing each group name, gid, etc. Data marshaling is used for 274 * group processing. The function _nss_ldap_group2ent() performs the 275 * data marshaling. 276 * 277 * (const char *)argp->username; (size_t)strlen(argp->username); 278 * (gid_t)argp->gid_array; (int)argp->maxgids; 279 * (int)argp->numgids; 280 */ 281 282 static nss_status_t 283 getbymember(ldap_backend_ptr be, void *a) 284 { 285 int i, j, k; 286 int gcnt = (int)0; 287 char **groupvalue, **membervalue, *member_str; 288 char *strtok_state; 289 nss_status_t lstat; 290 struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a; 291 char searchfilter[SEARCHFILTERLEN]; 292 char userdata[SEARCHFILTERLEN]; 293 char name[SEARCHFILTERLEN]; 294 ns_ldap_result_t *result; 295 ns_ldap_entry_t *curEntry; 296 char *username, **dn_attr, *dn; 297 gid_t gid; 298 int ret; 299 300 if (strcmp(argp->username, "") == 0 || 301 strcmp(argp->username, "root") == 0) 302 return ((nss_status_t)NSS_NOTFOUND); 303 304 if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0) 305 return ((nss_status_t)NSS_NOTFOUND); 306 307 ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETPWNAM, name); 308 if (ret >= sizeof (searchfilter) || ret < 0) 309 return ((nss_status_t)NSS_NOTFOUND); 310 311 ret = snprintf(userdata, sizeof (userdata), _F_GETPWNAM_SSD, name); 312 if (ret >= sizeof (userdata) || ret < 0) 313 return ((nss_status_t)NSS_NOTFOUND); 314 315 /* 316 * Look up the user DN in ldap. If it's not found, search solely by 317 * username. 318 */ 319 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL, 320 _PASSWD, searchfilter, NULL, _merge_SSD_filter, userdata); 321 if (lstat != (nss_status_t)NS_LDAP_SUCCESS) 322 return ((nss_status_t)lstat); 323 324 if (be->result == NULL || 325 !(dn_attr = __ns_ldap_getAttr(be->result->entry, "dn"))) 326 dn = name; 327 else 328 dn = dn_attr[0]; 329 330 ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name, 331 dn); 332 if (ret >= sizeof (searchfilter) || ret < 0) 333 return ((nss_status_t)NSS_NOTFOUND); 334 335 ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name, 336 dn); 337 if (ret >= sizeof (userdata) || ret < 0) 338 return ((nss_status_t)NSS_NOTFOUND); 339 340 /* 341 * Free up resources from user DN search before performing group 342 * search. 343 */ 344 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result); 345 346 gcnt = (int)argp->numgids; 347 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL, 348 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata); 349 if (lstat != (nss_status_t)NS_LDAP_SUCCESS) 350 return ((nss_status_t)lstat); 351 if (be->result == NULL) 352 return (NSS_NOTFOUND); 353 username = (char *)argp->username; 354 result = (ns_ldap_result_t *)be->result; 355 curEntry = (ns_ldap_entry_t *)result->entry; 356 for (i = 0; i < result->entries_count; i++) { 357 membervalue = __ns_ldap_getAttr(curEntry, "memberUid"); 358 if (membervalue) { 359 for (j = 0; membervalue[j]; j++) { 360 /* 361 * If we find an '=' in the member attribute 362 * value, treat it as a DN, otherwise as a 363 * username. 364 */ 365 if (member_str = strchr(membervalue[j], '=')) { 366 member_str++; /* skip over the '=' */ 367 member_str = strtok_r(member_str, ",", 368 &strtok_state); 369 } else { 370 member_str = membervalue[j]; 371 } 372 if (member_str && 373 strcmp(member_str, username) == NULL) { 374 groupvalue = __ns_ldap_getAttr(curEntry, 375 "gidnumber"); 376 gid = (gid_t)strtol(groupvalue[0], 377 (char **)NULL, 10); 378 if (argp->numgids < argp->maxgids) { 379 for (k = 0; k < argp->numgids; 380 k++) { 381 if (argp->gid_array[k] 382 == gid) 383 /* already exists */ 384 break; 385 } 386 if (k == argp->numgids) 387 argp->gid_array[argp->numgids++] 388 = gid; 389 } 390 break; 391 } 392 } 393 } 394 curEntry = curEntry->next; 395 } 396 397 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result); 398 if (gcnt == argp->numgids) 399 return ((nss_status_t)NSS_NOTFOUND); 400 401 /* 402 * Return NSS_SUCCESS only if array is full. 403 * Explained in <nss_dbdefs.h>. 404 */ 405 return ((nss_status_t)((argp->numgids == argp->maxgids) 406 ? NSS_SUCCESS 407 : NSS_NOTFOUND)); 408 } 409 410 static ldap_backend_op_t gr_ops[] = { 411 _nss_ldap_destr, 412 _nss_ldap_endent, 413 _nss_ldap_setent, 414 _nss_ldap_getent, 415 getbynam, 416 getbygid, 417 getbymember 418 }; 419 420 421 /*ARGSUSED0*/ 422 nss_backend_t * 423 _nss_ldap_group_constr(const char *dummy1, const char *dummy2, 424 const char *dummy3) 425 { 426 427 return ((nss_backend_t *)_nss_ldap_constr(gr_ops, 428 sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs, 429 _nss_ldap_group2str)); 430 } 431